Categories

Significant numbers of machines in enterprise networks are bot-infected

In a detailed 3 month long study conducted by the guys at Damballa, reports that enterprise networks are deeply infiltrated by bot-nets.

Bot infections are on the rise , and most come from bot-nets which do not get much publicity in the popular press.

“In a three-month study of more than 600 different bot-nets found having infiltrated enterprise networks, researchers from Damballa discovered nearly 60 percent are bot-nets that contain only a handful to a few hundred bots built to target a particular organization. Only 5 percent of the bot infections were from big-name bot-nets, such as Zeus/ZDbot and Koobface.

And Damballa has seen bot infections grow in enterprises as well, from 5 to 7 percent of an enterprise’s IP address space and hosts last year, to 7 to 9 percent of them bot-infected this year. “Of all the enterprises where we’ve gone into who are customers or as proof-of-concept, 100 percent have had botnet infections,” says Gunter Ollmann, vice president of research for Damballa. “It’s more the smaller, customized and targeted types of bot-nets [that infect the enterprise].

“Corporations have become very good at dealing with the larger threats that get publicized — they tend not to get affected widely by Conficker, for instance.”

Ollmann’s colleague, Erik Wu from Damballa, today revealed this latest research during a presentation at the Virus Bulletin Conference in Geneva.

Joe Stewart, a researcher with SecureWorks’ Counter Threat Unit, says bot-net operators who execute targeted attacks do so with fewer bots. “Entities that launch targeted attacks will have a smaller number of bots in their bot-net than non-targeted ones, for sure,” Stewart says.

The bad guys are also finding that deploying a small bot-net inside a targeted organization is a more efficient way of stealing information than deploying a traditional exploit on a specific machine. And Ollmann says many of the smaller bot-nets appear to have more knowledge of the targeted organization as well. “They are very strongly associated with a lot of insider knowledge … and we see a lot of hands-on command and control with these small bot-nets,” he says.

If they remotely control four or five hosts, for instance, then they issue commands to the bots to navigate network shares, retrieve files, or access databases, he says.

“I suspect that a sizable percentage of small bot-nets are those developed by people who understand or are operating inside a business as employees who want to gain remote access to corporate systems, or by criminal entities that have dug deep and gotten insider information on the environment,” Ollmann says. “The reason why we know this is the way the malware is constructed — how it’s specific to the host being targeted — and the types of command and control being used. Bot agents are often hard-coded with the command and control channel” so they can bypass network controls with a user’s credentials.

These bot-nets tend to rely on popular DIY malware kids, like Ivy and Zeus, to infect their victim machines, he says. And they are typically more automated than bots in the big bot-nets: “Some designed for the enterprise worm they way around the network and look for common protocols that are open in the enterprise” and infect files, and exploit other hosts in the network, Ollmann says.

But like most other cybercriminals, these mini bot-net operators then try to sell the data they’ve stolen to other criminals. “They try to sell information based on the bot they have, or individual bots based on the performance of a machine, or its physical location and IP address space,” he says”